Blog Post

The Real Privacy Threat Is From Offline (Not Online) Marketers

Andrew Pancer is COO of the social ad-targeting company Media6Degrees. Prior to that, he was Vice President of Digital Development for the New York Times (NYSE: NYT) and, before that, COO of

Are we all looking in the wrong places for privacy risks?

I pulled the following disclaimer from the privacy policy of a large retailer in regards to its rules around catalog mailing and other offline marketing: “From time to time we might establish a business relationship with other persons or entities whom we deem trustworthy and whose privacy policies are consistent with ours. In such cases we might share information, including personally identifiable information about you, that will enable such persons or entities to contact you regarding products and services that may be of interest to you.”

To opt out of receiving this company’s catalog or opt out of its sharing of information with third parties, you must call or email the company. It takes 10 days to process an email request, and six to eight weeks to process a postal mail request.

Congress and the media have been all over the online community about risks to privacy and the need for more transparency, notice and choice, and there, of course, has been talk of new “Do Not Track” rules. But is the relentless focus on internet marketers deflecting attention from more worrisome practices in the offline world?

Offline marketers collect and share more information on consumers than their online counterparts do — and it’s more cumbersome for consumers in the offline world to effect change to those practices. Unlike offline marketers, the vast majority of online marketers simply don’t collect personally identifiable information, or PII, unless there is an explicit opt-in from consumers.

For me, the latest reminder of the laxness of rules guiding offline marketing came over the Christmas break, when just about every day my mailbox was cluttered with (unwanted) catalogs sent to me via the use of personally identifiable information. The above example was pulled from one of those catalogs. Here’s another disclaimer from one of the largest catalog distributors in the United States: “Whenever you shop in our stores… we obtain from you the information we need to complete your transaction. This information may include your name, address, telephone number, driver’s license number, birth date, and email address. If you use a credit or debit card or pay by check, it will include your account number.”

Note: Online marketers don’t collect data like credit-card numbers or driver’s license information.

The disclaimer continues: “We may also obtain information about other people from you. For example, if you order a gift to be delivered directly to a friend, you would need to give us the friend’s name and address.”

Hmmm. This sounds a lot like Facebook’s Beacon program, which the company was forced to drop after getting hammered by negative publicity.

More from the disclaimer: “We also collect consumer information from third-party providers in order to improve the accuracy of our customer database or increase our understanding of our customers. For example, we get updated addresses from the National Change of Address (NCOA) service, licensed by the U.S. Postal Service, to assist us in having the correct addresses for our customers.”

Remember: The idea of online marketers merging their own customer data with third-party data on those same customers – which is what the catalog company is saying it does in the previous paragraph — is seen as completely scary and creepy, and becomes front-page news in The Wall Street Journal.

And does this catalog distributor share information with third parties?

“We provide information to responsible outside companies. These carefully selected companies may use the information we share to let you know about their products or services, which may include providing special offers to you.”

To opt out of these initiatives, you will need to mail, call or email the company.

Most of the catalogs we received were from companies neither my wife nor I have ever purchased from. The retailers who sent them purchased my name from a list. The information for the list may have come from one of the retailers referred to above. Working in the advertising-technology industry, I obviously believe in the power of direct marketing. But let’s compare the data being discussed in the scenarios above — personally identifiable information (PII) such as telephone number, driver’s license and even “friends” — to the sort of consumer data that is typically being collected, used and sold for online behavioral targeting (OBA).

The standard OBA data includes sites you visit, inferred gender, location and maybe even stated interests. These are all done in anonymous fashion. Yes, there have been studies that show you could possibly reverse engineer some of the data back to an individual. But that requires a significant amount of work and would likely apply to only a small percent of any database. Offline data collection is very detailed and widely shared.

Yet the digital industry remains in the center of the maelstrom. The offline and online worlds also differ in how easy they make it for consumers to say no to having their data collected and used. Yahoo (NSDQ: YHOO) was the first big digital publisher to roll out the Advertising Option icon across its network last quarter – this gives consumers the option to know who served the ad, learn about OBA, and opt out of targeted advertising. In the case of Yahoo, it takes all of three clicks of the mouse to do this. Numerous companies, including my own, Media6Degrees, have now started to deploy the icon on all display advertisements being served. By the end of this quarter, the icon will be ubiquitous.

Compare that to the requirements outlined in the two examples above. Both require either phone, mail or email. Neither is quick and easy. To try to circumvent this process, I went to the Direct Marketing Association’s web site to look at its opt-out mechanisms for catalog mailing. If you want to opt out of any particular catalogs, the DMA provides the contact address for each individual company. The consumer then needs to contact each one. There is a “global” opt-out, but that will not work for any company you have ever made a purchase with. For those companies you need to contact them directly.

Over 20 states have introduced “Do Not Mail” bills in the past five years, and all of them have failed. (Do Not Mail is the direct- mail equivalent of the Do Not Call registry.) In 2010, Seattle and San Francisco passed resolutions calling for a Do Not Mail registry, but those resolutions are only advisory and have not led to any legislation to date. And there is no proposed legislation pending on a national level. similar to the national do not call registry, where you can opt out of all direct mail.

Our industry is going through a radical transition to allow consumers to have much higher levels of transparency and choice regarding what data is collected about them and how it is used. I could not agree more that as an industry we have not done enough to educate consumers about how OBA works, how it supports the internet ecosystem, and how it improves their user experience (the alternative being punch-the-monkey ads and dancing cowboys). But in light of the data sharing, usage and opt-out mechanics of the catalog industry outlined above, it seems that the privacy advocates are focusing their efforts in the wrong direction.

This article originally appeared in Media6Degrees.

2 Responses to “The Real Privacy Threat Is From Offline (Not Online) Marketers”

  1. Georgette Asherman

    I thought about this overnight – what is the difference of direct mail and extracting links from Facebook. I worked in direct mail. People who make a career of it are very defensive. They offer options to not be mailed. But people who like to receive it have some idea that lists are sold, updated etc. Why should they feel differently about an unprotected Facebook account?

    This is the difference. When you pull a record for direct mail label, it is based on the conditions stated in the line from the list. The fact that you might know people on this list doesn’t matter. It is not about the relationships between the rows of the list. So even though you know Jane from a trip to Vail, being on a
    list with her is not a statement of your personal connection. But why people expose their connections and then demand privacy from a commercial service makes no sense.